Zerodium Offers $1 Million for Tor Browser 0-Days That It will Resell to Governments

It seems like Tor Browser zero-day exploits are in high demand right now—so much so that someone is ready to pay ONE MILLION dollars.

Zerodium—a company that specialises in acquiring and reselling zero-day exploits—just announced (https://zerodium.com/tor.html) that it will pay up to USD 1,000,000 for working zero-day exploits for the popular Tor Browser on the Tails Linux and Windows operating systems.

Tor Browser users should take this news as an early warning, especially those who use Tails OS to protect their privacy.

The zero-day exploit acquisition platform has also published rules and payout details on its website, announcing that the payout for Tor exploits that work with JavaScript disabled is double the payout for exploits that require JavaScript to be enabled.

The company has also clearly stated that the exploit must leverage a remote code execution vulnerability, the initial attack vector should be a web page, and the exploit should work against the latest version of Tor Browser.

Moreover, the zero-day Tor exploit must work without requiring any user interaction beyond the victim visiting a web page.

Other attack vectors, such as delivery via a malicious document, are not eligible for this bounty, but ZERODIUM may, at its sole discretion, make a distinct offer to acquire such exploits.

Zerodium to Sell Tor Browser 0-Days to Law Enforcement Agencies

Although the zero-day market has long been a lucrative business for private firms that regularly offer higher payouts for undisclosed vulnerabilities than the big technology companies do, Zerodium says that it wants to resell the Tor Browser exploits to law enforcement agencies to fight crime.

In a FAQ, the company has admitted that it will sell the acquired Tor zero-days to law enforcement agencies, and possibly to commercial malware development companies that sell spyware to governments.

> "In many cases, [Tor is] used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all," Zerodium said.

In response to the Zerodium bounty program, the Tor Project says that breaching the security of its anonymity software may put at risk the lives of many users who rely on it, including human rights defenders, activists, lawyers, and researchers.

The non-profit foundation also urges researchers and hackers to responsibly disclose vulnerabilities in Tor via its recently launched bug bounty program (https://thehackernews.com/2017/07/tor-bug-bounty-program.html).

> "We think the amount of the bounty is a testament to the security we provide. We think it's in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty," a Tor Project spokesperson told The Hacker News.

> "Over 1.5 million people rely on Tor every day to protect their privacy online, and for some it's life or death. Participating in Zerodium's program would put our most at-risk users' lives at stake."

Payouts for Tor Browser 0-Day RCE Exploits

Here is the list of Zerodium's payouts for Tor Browser exploits. The first four tiers are for exploits that work on both Tails and Windows; the last four are for exploits that work on only one of the two platforms:

* RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64-bit) and on Windows 10 RS3/RS2 (64-bit) without JavaScript: $250,000
* Only RCE (no LPE) for Tor Browser on Tails 3.x (64-bit) and on Windows 10 RS3/RS2 (64-bit) without JavaScript: $185,000
* RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64-bit) and on Windows 10 RS3/RS2 (64-bit) with JavaScript: $125,000
* Only RCE (no LPE) for Tor Browser on Tails 3.x (64-bit) and on Windows 10 RS3/RS2 (64-bit) with JavaScript: $85,000
* RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64-bit) OR on Windows 10 RS3/RS2 (64-bit) without JavaScript: $200,000
* Only RCE (no LPE) for Tor Browser on Tails 3.x (64-bit) OR on Windows 10 RS3/RS2 (64-bit) without JavaScript: $175,000
* RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64-bit) OR on Windows 10 RS3/RS2 (64-bit) with JavaScript: $100,000
* Only RCE (no LPE) for Tor Browser on Tails 3.x (64-bit) OR on Windows 10 RS3/RS2 (64-bit) with JavaScript: $75,000

Those interested can submit their exploits until November 30th, 2017 at 6:00 pm EDT. The company also notes that the bounty may be terminated before its expiration date if the total payout to researchers reaches one million U.S. dollars ($1,000,000).

Source: The Hacker News, https://thehackernews.com/2017/09/tor-zero-day-exploits.html, by Swati Khandelwal, published 2017-09-13 (last modified 2017-09-13). Vulners record THN:8CC9591934D9BAFF400300C02A7EC63E, bulletin family "info"; no CVE identifiers are referenced.